Originally published by our sister publication Infectious Disease Special Edition
By Marie Rosenthal, MS
An investigation following a phishing attack that affected the electronically protected health information of almost 35,000 patients belonging to a Louisiana medical group resulted in a payment of $480,000 to the Department of Health and Human Services, according to its Office for Civil Rights (OCR).
This marks the first settlement OCR has resolved involving a phishing attack under the HIPAA Privacy Rule, the agency said. Phishing, which uses electronic communication such as email, tricks people into disclosing sensitive information by posing as a trustworthy source.
“What happened to Lafourche is relevant to any healthcare organization. Every healthcare provider that has protected health information (PHI) must comply with the HIPAA Privacy Rule. That would include a doctor’s office or hospital,” explained Rob Else, a cybersecurity advisory consultant with Eide Bailly in Omaha, Neb. Mr. Else was not part of the breach or the investigation, but shared his expertise.
The Lafourche Medical Group (LMG) operates two urgent care facilities that provide services to communities in South Louisiana. LMG consists of five healthcare providers specializing in emergency medicine, occupational medicine, laboratory testing and specialty services.
On May 28, 2021, LMG filed a breach report with HHS stating that a hacker, through a successful phishing attack on March 30, 2021, gained access to an email account that contained electronic PHI, such as medical diagnoses, frequency of visits to a therapist or other healthcare professionals, and where an individual seeks medical treatment.
The OCR investigated and found that prior to the 2021 reported breach, Lafourche had failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic PHI across the organization, as required by HIPAA. The OCR also discovered that the group had no policies or procedures in place to regularly review information system activity to safeguard PHI against cyberattacks.
“Once LMG learned about the breach they were required to report it and notify their patients. It sounds like there were 34,862 patients that could potentially be impacted, but LMG wasn’t able to confirm exactly which patients were impacted so they notified all of them,” Mr. Else said. “The OCR’s investigation found that LMG failed to conduct a risk assessment and didn’t have the proper policies and procedures in place to protect PHI.”
As a result, LMG agreed to pay $480,000 to OCR and to implement a corrective action plan that will be monitored by OCR for two years. Lafourche Medical Group will take the following steps to resolve and comply with the agreement:
- establishing and implementing security measures to reduce security risks and vulnerabilities to electronic PHI in order to keep patients’ information secure;
- developing, maintaining and revising written policies and procedures as necessary to comply with the HIPAA Privacy Rule; and
- providing training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.
“To my knowledge, patients don’t see a dime of the money,” Mr. Else said. “Most often the company that was breached, LMG in this case, provides them with identity or credit monitoring services for a period of time. I have not seen anything in this case that mentions credit monitoring or any other kind of identity protection being provided to the patients.”
“It’s important that healthcare organizations take proactive measures to protect themselves. An annual risk assessment is a great tool to identify and prioritize risks to systems and data. It’s important that you identify both the assets that need to be protected and the threats that you face. It’s also important to provide employees with security awareness training. I have seen reports that say 91% of successful data breaches start with a phishing attack. You need to be training and testing your employees’ ability to identify not only phishing attacks but other social engineering attacks as well,” Mr. Else said.
“Phishing is the most common way that hackers gain access to healthcare systems to steal sensitive data and health information,” said OCR Director Melanie Fontes Rainer. “It is imperative that the healthcare industry be vigilant in protecting its systems and sensitive medical records, which includes regular training of staff and consistently monitoring and managing system risk to prevent these attacks. We all have a role to play in keeping our healthcare system safe and taking preventive steps against phishing attacks.”
Phishing attacks can result in identity theft, financial loss, discrimination, stigma, mental anguish, and negative consequences to the reputation, health or physical safety of the individual or to others identified in the individual’s PHI. Healthcare providers, health plans and data clearinghouses regulated by HIPAA are required to file breach reports with HHS.
Based on the large breaches reported to OCR this year, more than 89 million individuals have been affected. In 2022, more than 55 million individuals were affected.